“Programming can be fun, so can cryptography; however they should not be combined.”

– Kreitzberg and Shneiderman
■ Code compiles with warnings
■ Warnings are turned off or over-ridden
■ Insufficient warning level set
■ Language safety features over-ridden
■ Make sure the compiler understands what you meant
  ● A warning means the compiler might not do what you think
    – Your particular language use might be “undefined”
  ● A warning might mean you're doing something that's likely a bug
    – It might be valid C code, but should be avoided
  ● Don't over-ride features designed for safe language use
The C Language Doesn't Always Play Nice

■ Defined, but potentially dangerous
  ● if (a = b) { ... }            // a is modified
  ● while (x > 0); { x = x-1; }   // infinite loop
■ Undefined or unspecified → dangerous
  ● You might think you know what these do ...
    ... but it varies from system to system
  ● int *p = NULL; x = *p;        // null pointer dereference
  ● int b; c = b;                 // uninitialized variable
  ● int a[10]; x = a[10];         // access past end of array
  ● x = (i++) + a[i];             // when is i incremented?
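The constructs above, each beside the form that avoids it, as an added C example written for this page (it is not code from the original slides). The function names and the sample table are mine; the gcc option names in the comments are real gcc options.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Defined but dangerous: the assignment compiles and silently overwrites a.
 * The branch is taken whenever b is non-zero, whatever a was.
 * gcc -Wall reports it (-Wparentheses: "suggest parentheses around
 * assignment used as truth value"). */
int compare_buggy(int a, int b)
{
    if (a = b) {                        /* almost certainly meant a == b */
        return 1;
    }
    return 0;
}

/* The intended comparison: no side effect on either operand. */
int compare_fixed(int a, int b)
{
    return (a == b) ? 1 : 0;
}

/* Undefined: reading a[len], or through a NULL pointer, may return garbage,
 * crash, or appear to work. The checked accessor validates pointer and index
 * first and reports failure instead of touching memory it does not own. */
bool array_read_checked(const int *a, size_t len, size_t i, int *out)
{
    if (a == NULL || out == NULL || i >= len) {
        return false;
    }
    *out = a[i];
    return true;
}

/* Unsequenced: x = (i++) + a[i] modifies i and reads it again in the same
 * expression with no sequence point between, which is undefined behaviour.
 * Split the work so the order is explicit: read the old i, use it, then advance. */
int sum_then_advance(size_t *i, const int *a, size_t len)
{
    size_t idx = *i;                    /* i is read exactly once */
    int value = 0;
    if (!array_read_checked(a, len, idx, &value)) {
        return -1;                      /* sentinel: index out of range, i unchanged */
    }
    *i = idx + 1;                       /* advance only after the read */
    return (int)idx + value;
}

/* Uninitialized: 'int result; if (v > 0) result = 1; return result;' returns an
 * indeterminate value on the other paths. Initialize at the declaration so no
 * path can read a value that was never written. */
int sign_of(int v)
{
    int result = 0;                     /* defined on the v == 0 path too */
    if (v > 0) {
        result = 1;
    } else if (v < 0) {
        result = -1;
    }
    return result;
}

int main(void)
{
    int table[4] = { 10, 20, 30, 40 };  /* constructed sample data */
    size_t i = 1;
    int v = 0;
    int s;

    printf("compare_buggy(3, 5) = %d, compare_fixed(3, 5) = %d\n",
           compare_buggy(3, 5), compare_fixed(3, 5));
    printf("array_read_checked(table, 4, 4) -> %s\n",
           array_read_checked(table, 4, 4, &v) ? "ok" : "rejected");
    s = sum_then_advance(&i, table, 4); /* computed before printf: no unsequenced i */
    printf("sum_then_advance: %d, i is now %zu\n", s, i);
    printf("sign_of(-7) = %d\n", sign_of(-7));
    return 0;
}
```

Build it with `gcc -std=c11 -Wall -Wextra -Werror` and the `if (a = b)` line already fails to build, which is the point of going past the default warning level. Removing the range check in `array_read_checked` and running under `-fsanitize=address,undefined` or valgrind shows the dynamic-analysis side of the same story.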
Language Use Guidelines & Tools

■ MISRA C, C++
  ● Guidelines for critical systems in C (e.g., no malloc)
  ● Portability, avoiding high risk features, best practices
■ CERT Secure C, C++, Java
  ● Rules to reduce security risks (e.g., buffer overflows)
  ● Includes list of which tools check which rules

[Figure: MISRA C:2012 with Security, rules and directives by category (16 mandatory rules, 7 advisory directives, ...)]

■ Static analysis tools
  ● More than compiler warnings (e.g., strong type warnings)
  ● Many tools, both commercial and free. Start by going far past “-Wall” on gcc
■ Dynamic analysis tools
  ● Executes the program with checks (e.g., memory array bounds)
  ● Again, many tools. Start by looking at Valgrind tool suite

© 2020 Philip Koopman


Rule 13.4  The result of an assignment operator should not be used

C90 [Unspecified 7, 8; Undefined 18], C99 [Unspecified 15, 18; Undefined 32]   [Koenig 6]
Category    Advisory
Analysis    Decidable, Single Translation Unit
Applies to  C90, C99

Amplification
This rule applies even if the expression containing the assignment operator is not evaluated.

Rationale
The use of assignment operators, simple or compound, in combination with other arithmetic operators
is not recommended because:
● It can significantly impair the readability of the code;
● It introduces additional side effects into a statement making it more difficult to avoid the
  undefined behaviour covered by Rule 13.2.

Example
x = y;                        /* Compliant */
a[ x ] = a[ x = y ];          /* Non-compliant - the value of x = y is used */
/*
 * Non-compliant - value of bool_var = false is used but
 * bool_var == false was probably intended
 */
if ( bool_var = false )
{
}

[MISRA C:2012 Guidelines; Fair Use]
Let the Language Help!

■ Use enum instead of int
  ● enum color {black, white, red}; // avoids bad values (C itself does not range-check enums; the compiler and analyzer warnings do the work)
■ Use const instead of #define
  ● const uint64_t x = 1;   // helps with type checking
    uint64_t y = x << 40;   // avoids 32-bit overflow bug
■ Use inline instead of #define
  ● If it's too big to inline, the call overhead doesn't matter
  ● Many compilers inline automatically even without keyword
■ Use typedef with static analysis
  ● typedef uint32_t feet; typedef uint32_t meters;
    feet x = 15;
    meters y = x;   // feet to meters assignment error (flagged by a static analyzer, not the compiler: both are uint32_t)
■ Use stdint.h for portable types
  ● int32_t is 32-bit integer, uint16_t is 16-bit unsigned, etc.
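The four recommendations above in working form, as an added C example written for this page (not the slides' own code). It goes one step past the slide on the typedef point: wrapping each unit in its own struct makes the feet-to-meters slip a compile error in any C compiler, whereas the bare typedef needs a static analyzer. The names (`ONE64`, `color_from_wire`, `feet_t`, `meters_t`) and the conversion factor handling are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* '#define ONE 1' is an int, so 'ONE << 40' shifts past the width of int:
 * undefined behaviour (gcc warns "left shift count >= width of type").
 * A typed const carries its 64-bit width into every expression that uses it. */
static const uint64_t ONE64 = 1;

uint64_t bit40(void)
{
    return ONE64 << 40;                 /* 64-bit shift, well defined */
}

/* 'enum color' names the legal values, but C stores any int in it without
 * complaint. A value that crosses a trust boundary (a byte from a file or a
 * packet field) must be range checked before it is treated as the enum. */
enum color { BLACK, WHITE, RED, COLOR_COUNT /* sentinel, not a colour */ };

bool color_from_wire(uint8_t raw, enum color *out)
{
    if (raw >= COLOR_COUNT) {
        return false;                   /* reject instead of trusting the int */
    }
    *out = (enum color)raw;
    return true;
}

/* Every enumerator listed and no default: add a fourth colour and gcc -Wall
 * (-Wswitch) points at every switch that forgot to handle it. */
const char *color_name(enum color c)
{
    switch (c) {
    case BLACK:       return "black";
    case WHITE:       return "white";
    case RED:         return "red";
    case COLOR_COUNT: break;
    }
    return "invalid";
}

/* 'typedef uint32_t feet; typedef uint32_t meters;' are one type to the
 * compiler; the feet-to-meters slip is only caught by an analyzer that tracks
 * typedef names. Wrapping each unit in its own struct makes the mix-up a
 * compile error in every C compiler: 'meters_t y = x;' with x of type feet_t
 * is rejected as an incompatible type. */
typedef struct { uint32_t v; } feet_t;
typedef struct { uint32_t v; } meters_t;

meters_t feet_to_meters(feet_t f)
{
    /* 1 ft = 0.3048 m; widen before multiplying so the product cannot wrap */
    meters_t m = { (uint32_t)((uint64_t)f.v * 3048u / 10000u) };
    return m;
}

int main(void)
{
    enum color c = BLACK;
    feet_t x = { 15 };                  /* feet x = 15; from the slide */
    meters_t y = feet_to_meters(x);     /* 'meters_t y = x;' would not compile */

    printf("1 << 40 as uint64_t = %llu\n", (unsigned long long)bit40());
    printf("wire value 2 -> %s\n", color_from_wire(2, &c) ? color_name(c) : "rejected");
    printf("wire value 3 -> %s\n", color_from_wire(3, &c) ? color_name(c) : "rejected");
    printf("15 ft = %u m (truncated)\n", (unsigned)y.v);
    return 0;
}
```

The struct wrapper costs nothing at runtime (a one-member struct is passed like the integer it holds on the usual ABIs) and turns a class of unit-confusion bugs from "needs an analyzer" into "will not link".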


Deviations & Legacy Code

■ Use deviations from rules with care
  ● Use “pragma” deviations sparingly; comment what/why
■ What about legacy code that generates lots of warnings?
  ● Strategy 1: fix one module at a time
    – Useful if you are refactoring/re-engineering the code
    – Sometimes might need to keep warnings off for 3rd party headers
  ● Strategy 2: turn on one warning at a time
    – Useful if you have to keep a large codebase more or less in sync
  ● Strategy 3: start over from scratch
    – If the code is bad enough this is more efficient ... if business conditions permit
Or – You Can Use A Better Language!

■ Desirable language capabilities:
  ● Type safety and strong typing (e.g., pointers aren't ints)
  ● Memory safety (e.g., bounds on arrays)
  ● Robust static analysis (language & tool support)
  ● In general, no surprises
■ Spark Ada as a safety critical language
  ● Formally defined language; verifiable programs
  ● The language doesn't have undefined behaviors
  ● You can prove that a program is correct
    – E.g., can prove absence of: array index out of range, division by zero
    – (In practice, this makes you clean up your code until proof succeeds)
  ● Key idea: design by contract
    – Preconditions, post-conditions, side effects are defined

    procedure Increment (X : in out Counter_Type)
      with Global  => null,
           Depends => (X => X),
           Pre     => X < Counter_Type'Last,
           Post    => X = X'Old + 1;

    [Spark Ada is a subset of the Ada language – Wikipedia, https://goo.gl/3w6RF6]
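What the SPARK contract above buys you, approximated in C, as an added example written for this page (not from the slides): the precondition is checked and reported instead of proved, the postcondition is checked with assert, and the "Global => null" part is simply a function that touches no global state. The names `counter_t`, `COUNTER_LAST`, `increment` and `count_events` are mine; `counter_t` is assumed to be an 8-bit counter so the limit is easy to hit.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t counter_t;              /* Counter_Type'Last == COUNTER_LAST (assumed 8-bit) */
#define COUNTER_LAST UINT8_MAX

/* C approximation of the SPARK contract:
 *   Global  => null             : no global state is read or written
 *   Depends => (X => X)         : the new value depends only on the old one
 *   Pre     => *x < COUNTER_LAST: checked at runtime, violation reported
 *   Post    => *x == X'Old + 1  : checked with assert while testing */
bool increment(counter_t *x)
{
    if (x == NULL || *x >= COUNTER_LAST) {
        return false;                   /* precondition fails: no change made */
    }
    counter_t old = *x;                 /* X'Old */
    *x = (counter_t)(old + 1);
    assert(*x == old + 1);              /* postcondition */
    return true;
}

/* A caller that respects the contract: it stops at the limit instead of
 * wrapping a uint8_t counter back to 0, which is the classic overflow bug.
 * Returns how many of the n requested increments actually happened. */
unsigned count_events(unsigned n)
{
    counter_t c = 0;
    unsigned done = 0;
    while (done < n && increment(&c)) {
        done++;
    }
    return done;
}

int main(void)
{
    counter_t c = COUNTER_LAST;
    printf("increment at Counter_Type'Last -> %s\n",
           increment(&c) ? "ok" : "refused");
    printf("300 requested, %u performed (saturates at %u)\n",
           count_events(300), (unsigned)COUNTER_LAST);
    return 0;
}
```

The difference from SPARK is the one the slide is making: here the precondition is a runtime check that every caller has to handle, whereas the SPARK prover shows at build time that no caller can reach `Increment` with `X = Counter_Type'Last`.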


Language Style Best Practices

■ Adopt a safe coding style (or a safe language)
  ● MISRA C & CERT C are good starting points
  ● Specify a static analysis tool and config settings
    – To degree practical, let machines find the style problems
  ● When static analysis is set up, add dynamic analysis
■ The point of good style is to avoid bugs
  ● Let the compiler find many bugs automatically
  ● Reduce chance of compiler mistaking your intention
■ Coding style pitfalls:
  ● “The code passes tests, so warnings don't matter”
  ● Real bugs lost in a huge mass of warnings
  ● Making it too easy to deviate from style rules
[Figure: parody O'RLY book covers “It's only a clever hack if you're the one who wrote it” and “Maybe they'll just go away on their own: A Practical Guide” (@ThePracticalDev, https://goo.gl/pvDMHX, CC BY-NC 2.0)]

[Figure: xkcd 1695, “Code Quality 2”, https://xkcd.com/1695/]


